Malware on the Mac: is there cause for concern? Ars investigates

Is malware truly becoming a problem on the Mac, or are reporters just working …

Malware on the Mac: is it mostly hype or a real problem faced by real people? If you ask John Gruber, the answer might be the former—there are lots of proof-of-concept scenarios and virtually none that manifest themselves beyond a slow news day. If you ask Ed Bott, however, the answer would be the latter—he recently interviewed an AppleCare employee who claimed that the recent release of fake antivirus app "MAC Defender" has caused a spike in malware reports among Mac users.

The truth is hard to tease out. Partly because Mac OS X still makes up a comparatively small percentage of the global OS market share, and partly because Apple itself is a secretive company, it's not easy to find out whether malware on the Mac is indeed becoming more common, or it's simply being reported on more often.

Still, we tried to do exactly that. Ars spoke with 14 different Mac support specialists—including several Apple Store Geniuses—in order to get a handle on whether things have changed when it comes to dealing with malware. Their experiences are all over the map, but the general consensus does seem to lean towards a low number of malware problems—until you get to the Geniuses.

Not an epidemic?

Many third-party Mac support specialists told us that they had not seen a noticeable spike in malware issues on the Mac recently.

"The majority of Mac users I support are somewhat technical, but even the ones that aren't have been trained (by me) to be paranoid and come running to me if they're not sure about something," longtime Ars forum member Comp Guru, also known as Sean Murphy, told Ars. "MAC Defender is just like 'Security Center 2011' that plagues the Windows 7 users in my office, and a few have actually installed it. One came very close to paying the $85 to make the 'infections' and 'drive errors' go away. Luckily she came to me first and I removed it with Malwarebytes. On the Mac side I'm glad it's an easy-to-remove application if someone does happen to install it."

"In the last 6 months, only one of my clients reported a possible malware [scenario]. I have consulted with other Apple services and the rate is basically the same: one or two people out of 750-1,000 in six months," a Chile-based Apple Certified Help Desk Specialist named Pablo Toledo told Ars. "Mac users here tend to be alert and informed, and only very basic users fall into the trap."

Two out of a thousand in six months seems like a pretty good track record, but others claim to have never seen a single instance of malware on a Mac.

"It certainly hasn't affected the fashion/casting/design/law offices I support, as nobody has made a peep about it. We have deployed the managed preference setting to turn off 'open safe files after downloading' by default for all computers we come into contact with, though," Allister Banks from a consulting firm called POINT said. "When it comes to average home users, the closest to malware I've ever seen is slight JavaScript tomfoolery when SEO people poison Google Image Search results. Sorry, zero evidence, anecdotal or otherwise."

Northwestern University technical support consultant Adam Turetzky agreed. "I’ve been a departmental user support and server admin at Northwestern University in Evanston, IL for 11 years. During that time I have not once seen a user’s Macintosh infected with a virus or malware more serious than a Word macro virus (and I haven’t seen one of those in a long time either)," Turetzky said. "I currently support 42 users and administrate 50+ Macintoshes. Granted, my users are told not to install software on their workstations without consulting with me first, but they don’t always obey the rules and even still we’ve had no instances of malware."

Tom Bridge, a partner at a firm called Technolutionary, seemed to think that Mac users might be better at avoiding malware because of previous experiences on other platforms. "We have yet to see a single one of the Macs we support be hit by MAC Defender or its like," Bridge told Ars. "We have clients that have been taken by these scams before on PCs, and perhaps they are just more well educated against this particular type of scam, but generally speaking, we're not seeing this here in the DC area."

MAC Defender worked on someone—actually, a few someones

One of MAC Defender's many manifestations

Despite the numerous support and IT people we found to testify that malware—MAC Defender, Mac Security, Mac Protector, or any of its other knockoffs—isn't any more of a problem now than it has been in the past, we heard just the opposite from Apple store employees.

"MAC Defender has changed everything," one Apple Store Genius, who requested to remain anonymous (we'll call him Lenny), told Ars. "We probably get 3 or 4 people with this per day. Most of them only got as far as installing the program and haven't entered their credit card details."

Lenny went on. "This always sparks a debate at the bar on whether antivirus software is necessary on the Mac. This is difficult, as the store sells several antivirus products implying that Apple supports the idea, but as many customers point out, the sales guys aren't shy in making the claims for Mac OS X's security. Internally, Apple's [IT] department mandates the use of Norton Antivirus on company machines."

Update: At least one other Genius has brought it to our attention that Lenny's claims about Norton Antivirus might not be 100 percent accurate. It's either a per-store policy (in which case, not all stores have this policy), or there's some confusion about an old policy about requiring Norton Antivirus on machines that had Boot Camp installed. He did say that Apple prefers Norton for antivirus solutions and has a company-wide license for it.

Update x2: We've had several other Apple Store employees now write in about the Norton Antivirus point, especially now after Gruber's new post. One former Genius writes, "All back-of-house Retail machines are imaged using pre-configured images from Apple Corporate. Among the other applications that come as part of the image, Norton Antivirus and Timbuktu Pro are installed. However, most Geniuses create their own images to circumvent the Apple Corporate images and passwords, and because Apple Retail is the deal-with-the-devil arm of Apple Corporate, they turn a blind eye to whatever the Geniuses do. [...] Also, Apple Corporate employees have no idea what goes on in Apple Retail and vice versa."

Another one of MAC Defender's manifestations

A support specialist who we'll call Carl works at an Apple Authorized Campus Store and threw in his two cents as well. "I have never had to remove a virus or malware from a Mac until this month," Carl told Ars. "Now we have had a handful of people come in with MAC Defender on their computer."

And Apple Certified Mac Technician Kevin Copeland at BeachTec agreed. "Since starting my own business in December 2009, the volume of repairs I deal with is a small fraction of the number of machines I saw while I was with Apple (I'm a small, one-man shop). But, anecdotally, I have to say that the MAC Defender trojan appears to have impacted more of the general Mac-using public than all the previous trojans I've dealt with. When I was seeing thousands of computers per year, I ran across maybe half a dozen trojans each year. Now that I'm seeing about two dozen computers per week, I've seen the MAC Defender trojan at least three times in as many weeks."

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui